Certificate Services may not start on a computer that is running Windows Server 2003 or Windows 2000 (842210)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base: 256986 Description of the Microsoft Windows Registry

SYMPTOMS
On a computer that is running Microsoft Windows Server 2003 or Microsoft Windows 2000 Server, Certificate Services may not start.
Additionally, the following error message may be logged in the Application log in Event Viewer:

Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 42
Date: Date
Time: Time
User: N/A
Computer: Computer_Name
Description: Certificate Services did not start: Could not build CA certificate chain for ISICA. Cannot find object or property. 0x80092004 (-2146885628). For more information, see Help and Support Center at <http://support.microsoft.com>

CAUSE
Before Certificate Services starts, it enumerates all the keys and certificates that have been issued to the certification authority (CA), including keys and certificates that have expired. Certificate Services will not start if any one of these certificates has been removed from the local computer Personal certificate store. The 0x80092004 code in the event is CRYPT_E_NOT_FOUND: the service could not find one of the CA certificates that it expected in that store.

RESOLUTION
To resolve this issue, verify that the number of certificate thumbprints in the registry is equal to the number of certificates that have been issued to the CA. If any certificates are missing, import the missing certificates into the local computer Personal certificate store. After you have imported the missing certificates, use the certutil -repairstore command to repair the link between each imported certificate and its private key. To do this, use one of the following methods, depending on which version of the operating system your computer is running.

Method 1: Windows Server 2003
To resolve this issue on a Windows Server 2003-based computer, follow these steps.

Step 1: Look for missing certificates
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
The certificate thumbprints indicate all the certificates that have been issued to this CA. Every time that a certificate is renewed, a new certificate thumbprint is added to the CaCertHash list in the registry. The number of entries in this list must equal the number of certificates that are issued to the CA and that are listed in the local computer Personal certificate store.
To look for missing certificates, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Your_Certificate_Authority_Name
- In the right pane, double-click CaCertHash.
- Make a note of the number of certificate thumbprints that the Value data list contains.
- Start Command Prompt.
- Type the following command, and then press ENTER:

- Compare the number of certificates that are listed in the local computer Personal certificate store to the number of certificate thumbprints that are listed in the CaCertHash registry entry. If the numbers are different, go to "Step 2: Import the missing certificates." If the numbers are the same, go to "Step 3: Install the Windows Server 2003 Administration Tools Pack."
Note The local computer Personal store may also contain certificates that were never issued to the CA (for example, a domain controller or Web server certificate). If it does, compare the individual thumbprints in CaCertHash with the thumbprints of the certificates in the store instead of relying on the counts alone.
Step 2: Import the missing certificates
- Click Start, point to All Programs, point to Administrative Tools, and then click Certificates.
If Certificates does not appear in the list, follow these steps:
- Click Start, click Run, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- Click Add.
- In the Snap-in list, click Certificates, and then click Add.
If the Certificates snap-in dialog box appears, click Computer account, click Next, click Local computer, and then click Finish. The snap-in must manage the local computer's stores, because the CA certificates are held in the local computer Personal store, not in the user's Personal store.
- Click Close, and then click OK.
The Certificates directory is now added to Microsoft Management Console (MMC).
- On the File menu, click Save as, type Certificates in the File name box, and then click Save.
To open Certificates in the future, click Start, point to All Programs, point to Administrative Tools, and then click Certificates.
- Expand Certificates, expand Personal, right-click Certificates, point to All Tasks, and then click Import.
- On the Welcome page, click Next.
- On the File to Import page, type the full path of the certificate file that you want to import in the File name box, and then click Next. Alternatively, click Browse, search for the file, and then click Next.
- If the file that you want to import is a Personal Information Exchange - PKCS #12 (*.PFX) file, you will be prompted for the password. Type the password, and then click Next.
- On the Certificate Store page, click Next.
- On the Completing the Certificate Import Wizard page, click Finish.
Note The CA always publishes its CA certificates to the %systemroot%\System32\CertSvc\CertEnroll folder. You may find the missing certificates in that folder.

Step 3: Install the Windows Server 2003 Administration Tools Pack
After you import the certificates, you must use the Certutil tool to repair the link between the imported certificates and the associated private key store. The Certutil tool is included in the CA Certificate Tools. The Windows Server 2003 CA Certificate Tools are located in the Windows Server 2003 Administration Tools Pack. If the CA Certificate Tools are not installed on your computer, install them now.
To download the Windows Server 2003 Administration Tools Pack, visit the following Microsoft Web site:

Step 4: Repair the links
After you install the Windows Server 2003 Administration Tools Pack, follow these steps:
- Start Command Prompt.
- Type the following, and then press ENTER:
cd %systemroot%\system32\certsrv\certenroll
- Make a note of the certificate in the Certenroll folder that looks similar to the following:
Your_Server.Your_Domain.com_rootca.crt
- Type the following commands, and then press ENTER after each command:
%systemroot%\system32\certutil -addstore my %systemroot%\system32\certsrv\certenroll\Your_Server.Your_Domain.com_rootca.crt
%systemroot%\System32\certutil -dump %systemroot%\system32\certsrv\certenroll\Your_Server.Your_Domain.com_rootca.crt
Your_Server.Your_Domain.com_rootca.crt is the name of the certificate in the Certenroll folder that you noted in the previous step.
- In the output from the last command, near the end, you will see a line that is similar to the following:
Key Id Hash(sha1): ea c7 7d 7e e8 cd 84 9b e8 aa 71 6d f4 b7 e5 09 d9 b6 32 1b
The Key Id Hash identifies the certificate's public key and is specific to your CA certificate; the value shown here is only an example. Make a note of this line.
- Type the following command, including the quotation marks, and then press ENTER:
%systemroot%\system32\certutil -repairstore my "Key_Id_Hash_Data"
In this command, Key_Id_Hash_Data is the hash value that you noted in the previous step. For example, type the following:
%systemroot%\system32\certutil -repairstore my "ea c7 7d 7e e8 cd 84 9b e8 aa 71 6d f4 b7 e5 09 d9 b6 32 1b"
You will then receive the following output:
CertUtil: -repairstore command completed successfully.
If more than one certificate was missing, repeat the -addstore, -dump, and -repairstore commands for each missing certificate file. Each renewed CA certificate is published to the Certenroll folder as a separate file and has its own Key Id Hash.
- To verify the certificates, type the following, and then press ENTER:
%systemroot%\system32\certutil -verifykeys
After this command runs, you will receive the following output:
CertUtil: -verifykeys command completed successfully.
Step 5: Start the Certificate Services service
- Click Start, point to Administrative Tools, and then click Services.
- Right-click Certificate Services, and then click Start.
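The Method 1 procedure above, automated as a PowerShell script. This is an added example, not code from this article or from Microsoft. It assumes that PowerShell is installed on the Windows Server 2003 CA, that it runs as a local administrator with certutil.exe on the PATH, and that the Your_Certificate_Authority_Name placeholder is replaced with the real CA name. It goes beyond the count comparison in Step 1: it checks each thumbprint in CaCertHash against the local computer Personal store individually, because that store can also hold certificates that were never issued to the CA, so equal counts do not prove that every CA certificate is present.

```powershell
# Added example: automates Method 1 (Steps 1 to 5) on a Windows Server 2003 CA.
# Not part of KB 842210. Assumptions: PowerShell is installed on the CA host, the
# script runs as a local Administrator, certutil.exe is on the PATH, and $CaName is
# replaced with the real CA name (the subkey under CertSvc\Configuration).
param(
    [string]$CaName = 'Your_Certificate_Authority_Name'   # assumption: replace with your CA name
)

$regPath    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$certEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# Step 1. CaCertHash is a REG_MULTI_SZ with one SHA-1 thumbprint per CA certificate
# (one per renewal). The registry stores "ea c7 7d ..."; the Cert: drive exposes
# "EAC77D...", so normalize both sides before comparing.
function Get-CaCertHashes {
    $raw = (Get-ItemProperty -Path $regPath -Name CaCertHash).CaCertHash
    @($raw | ForEach-Object { ($_ -replace '\s', '').ToUpper() })
}

# Matching individual thumbprints is stricter than the count comparison in Step 1:
# the Personal store may also hold certificates that were never issued to the CA.
function Get-MissingCaCertHashes {
    $expected = @(Get-CaCertHashes)
    $present  = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { $_.Thumbprint.ToUpper() })
    @($expected | Where-Object { $present -notcontains $_ })
}

# Steps 2 and 4. The CA publishes every CA certificate to CertEnroll, so import each
# .crt there whose thumbprint is missing, then re-link it to its private key with
# certutil -repairstore, keyed by the "Key Id Hash(sha1)" line that certutil -dump prints.
function Repair-MissingCaCerts {
    param([string[]]$MissingThumbprints)
    $repaired = @()
    foreach ($file in Get-ChildItem -Path $certEnroll -Filter '*.crt') {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
        if ($MissingThumbprints -notcontains $cert.Thumbprint.ToUpper()) { continue }

        & certutil -addstore my $file.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -addstore failed for $($file.Name)"; continue }

        $keyId = $null
        foreach ($line in (& certutil -dump $file.FullName)) {
            if ($line -match '^\s*Key Id Hash\(sha1\):\s*(.+?)\s*$') { $keyId = $Matches[1] }
        }
        if (-not $keyId) { Write-Warning "No Key Id Hash in certutil -dump output for $($file.Name)"; continue }

        & certutil -repairstore my "$keyId" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -repairstore failed for $($file.Name)"; continue }
        $repaired += $cert.Thumbprint.ToUpper()
    }
    $repaired
}

$missing = @(Get-MissingCaCertHashes)
Write-Host ("CaCertHash lists {0} certificate(s); {1} missing from LocalMachine\My." -f @(Get-CaCertHashes).Count, $missing.Count)

if ($missing.Count -gt 0) {
    $fixed = @(Repair-MissingCaCerts -MissingThumbprints $missing)
    Write-Host ("Imported and repaired {0} certificate(s)." -f $fixed.Count)
    $still = @(Get-MissingCaCertHashes)
    if ($still.Count -gt 0) {
        # A certificate that CertEnroll cannot supply must be restored from a backup or .pfx by hand (Step 2).
        Write-Warning ("Still missing, not found in CertEnroll: {0}" -f ($still -join ', '))
        return
    }
}

# Step 4 check and Step 5: start the service only once every CA key verifies.
& certutil -verifykeys
if ($LASTEXITCODE -eq 0) { Start-Service -Name CertSvc } else { Write-Warning 'certutil -verifykeys failed; not starting Certificate Services.' }
```

The script stops before Step 5 if any thumbprint is still missing after the CertEnroll import, because that certificate has to be restored from a backup or a .pfx file by hand, and it refuses to start CertSvc until certutil -verifykeys succeeds, which is the same order of checks the manual procedure relies on.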
Method 2: Windows 2000
To resolve this issue on a Windows 2000-based computer, follow these steps.

Step 1: Look for missing certificates
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
The certificate thumbprints indicate all the certificates that have been issued to this CA. Every time that a certificate is renewed, a new certificate thumbprint is added to the CaCertHash list in the registry. The number of entries in this list must equal the number of certificates that are issued to the CA and that are listed in the local computer Personal certificate store.
To look for missing certificates, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Your_Certificate_Authority_Name
- In the right pane, double-click CaCertHash.
- Make a note of the number of certificate thumbprints that the Value data list contains.
- Start Command Prompt.
- Type the following, and then press ENTER:

- Compare the number of certificates that are listed in the local computer Personal certificate store to the number of certificate thumbprints that are listed in the CaCertHash registry entry. If the numbers are different, go to "Step 2: Import the missing certificates." If the numbers are the same, go to "Step 3: Install the Windows Server 2003 Certutil tools."
Note The local computer Personal store may also contain certificates that were never issued to the CA (for example, a domain controller or Web server certificate). If it does, compare the individual thumbprints in CaCertHash with the thumbprints of the certificates in the store instead of relying on the counts alone.
Step 2: Import the missing certificates
- Click Start, point to Programs, point to Administrative Tools, and then click Certificates.
If Certificates does not appear in the list, follow these steps:
- Click Start, click Run, type mmc, and then click OK.
- On the Console menu, click Add/Remove Snap-in.
- Click Add.
- In the Snap-in list, click Certificates, and then click Add.
If the Certificates snap-in dialog box appears, click Computer account, click Next, click Local computer, and then click Finish. The snap-in must manage the local computer's stores, because the CA certificates are held in the local computer Personal store, not in the user's Personal store.
- Click Close.
- Click OK.
The Certificates directory is now added to Microsoft Management Console (MMC).
- On the Console menu, click Save as, type Certificates as the file name, and then click Save.
To open Certificates in the future, click Start, point to Programs, point to Administrative Tools, and then click Certificates.
- Expand Certificates, expand Personal, right-click Certificates, point to All Tasks, and then click Import.
- On the Welcome page, click Next.
- On the File to Import page, type the full path of the certificate file that you want to import in the File name box, and then click Next. Alternatively, click Browse, search for the file, and then click Next.
- If the file that you want to import is a Personal Information Exchange - PKCS #12 (*.PFX) file, you will be prompted for the password. Type the password, and then click Next.
- On the Certificate Store page, click Next.
- On the Completing the Certificate Import Wizard page, click Finish.
Note The CA always publishes its CA certificates to the %systemroot%\System32\CertSvc\CertEnroll folder. You may find the missing certificates in that folder.

Step 3: Install the Windows Server 2003 Certutil tools
After you import the certificates, you must use the Windows Server 2003 CA Certificate Tools to repair the link between the imported certificates and the associated private key store.
The Windows Server 2003 versions of Certutil.exe and Certreq.exe are included in the Windows Server 2003 Administration Tools Pack. To install the tools on a Windows 2000-based computer, you must first install the Windows Server 2003 Administration Tools Pack on a computer that is running Windows Server 2003 or Microsoft Windows XP with Service Pack 1 (SP1) or with a later service pack. The Windows Server 2003 Administration Tools Pack cannot be installed directly on a Windows 2000-based computer.

Important After you copy the Windows Server 2003 CA Certificate Tools to the Windows 2000-based computer, two versions of the Certutil tool will reside on the Windows 2000-based computer. Do not remove the Windows 2000 Certutil tool. Other programs depend on the Windows 2000 version of this tool. For example, the Certificates MMC snap-in requires the Windows 2000 Certutil tool. Additionally, do not register the Windows Server 2003 Certcli.dll and Certadm.dll files on the Windows 2000-based computer.
To use the Windows Server 2003 CA Certificate Tools on a Windows 2000-based computer, follow these steps:
- Download the Windows Server 2003 Administration Tools Pack. To do this, visit the following Microsoft Web site:
- Log on to a computer that is running Windows Server 2003 or Windows XP with SP1 or with a later service pack.
- Install the Windows Server 2003 Administration Tools Pack.
- In the Windows Server 2003 Administration Tools Pack, locate the following files, and then copy them to a removable storage medium, such as a 3.5-inch disk:
Certreq.exe
Certutil.exe
Certcli.dll
Certadm.dll
- Log on to the Windows 2000-based computer as an administrator.
- Insert the removable storage medium to which you copied the files into the appropriate drive of the Windows 2000-based computer.
- Start Command Prompt.
- Make a new folder, and then copy the files on the removable storage medium to the new folder. To do this, type the following commands, and then press ENTER after each command:
cd\
md W2k3tool
cd w2k3tool
copy Removable_Media_Drive_Letter:\cert*
Note To avoid conflicts with the Windows 2000 version of the Certutil tool that is already on the computer, do not include the W2k3tool folder in your system search path.
Step 4: Repair the links
After you have copied the Windows Server 2003 CA Certificate Tools files to the Windows 2000-based computer, follow these steps:
- Start Command Prompt.
- Type the following, and then press ENTER:
cd %systemroot%\system32\certsrv\certenroll
- Make a note of the certificate in the Certenroll folder that looks similar to the following:
Your_Server.Your_Domain.com_rootca.crt
- Type the following commands, and then press ENTER after each command:
Root_Drive_Letter:\w2k3tool\certutil -addstore my %systemroot%\system32\certsrv\certenroll\Your_Server.Your_Domain.com_rootca.crt
Root_Drive_Letter:\w2k3tool\certutil -dump %systemroot%\system32\certsrv\certenroll\Your_Server.Your_Domain.com_rootca.crt
Root_Drive_Letter is the letter of the drive that holds the W2k3tool folder that you created in Step 3. Your_Server.Your_Domain.com_rootca.crt is the name of the certificate in the Certenroll folder that you noted in the previous step.
- In the output from the last command, near the end, you will see a line that is similar to the following:
Key Id Hash(sha1): ea c7 7d 7e e8 cd 84 9b e8 aa 71 6d f4 b7 e5 09 d9 b6 32 1b
The Key Id Hash identifies the certificate's public key and is specific to your CA certificate; the value shown here is only an example. Make a note of this line.
- Type the following command, including the quotation marks, and then press ENTER:
Root_Drive_Letter:\w2k3tool\certutil -repairstore my "Key_Id_Hash_Data"
In this command, Key_Id_Hash_Data is the hash value that you noted in the previous step. For example, type the following:
c:\w2k3tool\certutil -repairstore my "ea c7 7d 7e e8 cd 84 9b e8 aa 71 6d f4 b7 e5 09 d9 b6 32 1b"
After you have completed this command, you will receive the following output:
CertUtil: -repairstore command completed successfully.
If more than one certificate was missing, repeat the -addstore, -dump, and -repairstore commands for each missing certificate file. Each renewed CA certificate is published to the Certenroll folder as a separate file and has its own Key Id Hash.
- To verify the certificates, type the following command, and then press ENTER:
Root_Drive_Letter:\w2k3tool\certutil -verifykeys
After this command runs, you will receive the following output:
CertUtil: -verifykeys command completed successfully.
Step 5: Start the Certificate Services service
- Click Start, point to Administrative Tools, and then click Services.
- Right-click Certificate Services, and then click Start.
Modification Type: Major | Last Reviewed: 9/22/2006
Keywords: kbwinservds kbActiveDirectory kbtshoot kbprb KB842210 kbAudITPRO